A serious security vulnerability has been discovered in the core runC container code that affects several open-source container management systems, potentially allowing attackers to escape Linux container and obtain unauthorised, root-level access to the host operating system.
The vulnerability, identified as CVE-2019-5736, was discovered by open source security researchers Adam Iwaniuk and Borys Popławski and publicly disclosed by Aleksa Sarai, a senior software engineer and runC maintainer at SUSE Linux GmbH on Monday.
The flaw resides in runC—a lightweight low-level command-line tool for spawning and running containers, an operating-system-level virtualization method for running multiple isolated systems on a host using a single kernel.
Originally created by Docker, runC is the default container run-time for Docker, Kubernetes, ContainerD, CRI-O, and other container-dependent programs, and is widely being used by major cloud hosting and server providers.
runC Container Escape Vulnerability [CVE-2019-5736]
Though researchers have not yet released full technical details of the flaw to give people time to patch, the Red Hat advisory says the “flaw was found in the way runC handled system file descriptors when running containers.”
Thus, a specially-crafted malicious container or an attacker having root access to a container could exploit this flaw (with minimal user interaction) to gain administrative privileges on the host machine running the container, eventually compromising the hundreds-to-thousands of other containers running on it.
For root access to the container, the attacker has to either:
- create a new container using an attacker-controlled image, or
- attach (docker exec) into an existing container which the attacker had previous write access to.
“A malicious container [then] could use this flaw to overwrite contents of the runC binary and consequently run arbitrary commands on the container host system,” the advisory states.
How bad is this vulnerability?
Scott McCarty, principal product manager for containers at Red Hat, says, “While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies…and that’s exactly what this vulnerability represents.”
images from Hacker News